Sophos UTM 9.4 VPN Configuration


mattb75

I'm looking for some help configuring an L2TP VPN server on my UTM box as for the life of me I can't get it to authenticate and it's driving me mad!!

I've been using the PPTP VPN option within Sophos on my iPhone and Windows 7 & 10 laptops when away from home but now iOS 10 has been released and removed support for PPTP I need to bite the bullet and move to a more secure protocol.

I'd already created a user account and password for each device which needed a VPN account for PPTP and reading the official Sophos L2TP over IPSec guide this should be fine for L2TP as well.

Within the Remote Access > L2TP over IPSec menu I've now created a shared secret authentication and added the user accounts to the approved users list.

When I try and connect the logs show the connection initiates but then fails due to an authentication failure. I've triple checked the pass codes and they are all entered correctly.

I've even tried creating a new VM of Sophos and doing the configuration from scratch but it still fails to connect.

The UTM is sitting on the DMZ of a residential router which has its firewall disabled and all traffic directed to the DMZ - it is a double NAT however, although I don't think this is the cause (PPTP worked without issue and so does HTML5 VPN; however, that option isn't practical for all use cases so I need the L2TP to work).

The router doesn't have VPN capabilities.

Has anyone managed to get this type of VPN working on Sophos and if so, could you share your learnings to help out?

I've turned on debugging and noticed something strange. Even though the user account for the VPN connection is called 'VPN-iPhone6S', when the log picks up the connection attempt it's recording it firstly as 'L_VPN-Work' and then as 'D_matt', neither of which are configured within the VPN settings of my iPhone connection.


Jason

Yes, it works. I use it. Install the OpenVPN iOS client on your device. Then point your iOS web browser to the Sophos UTM user portal page and login with the user credentials of the user you wish to authorize for VPN. Upon login you'll have options to download the OpenVPN config and it will insert it into your iOS OpenVPN client. I use it frequently.


mattb75

Still can't get it to work - tried from a Windows 10 PC as well by installing the SSL VPN client software.

The issue is "certificate verify failed" and "unable to get issuer certificate".

I have in the past messed around with a Root Certificate Authority for my domain and added that into the Sophos UTM as well; even when I create a new certificate within UTM and allocate that to the SSL VPN server, it still looks like it's trying to find the older certificate for verification (I've cleared and downloaded the conf file several times to check it's not caching the old one).

Suspect I need to blow away UTM and re-install from scratch but don't really want to lose all my logs and device/user configs but hey ho....!